Archive for the ‘General’ Category

Bash Code Injection Vulnerability aka ShellShock

Sunday, September 28th, 2014

A recently discovered vulnerability in bash left many servers open to exploit.

There are many resources on the subject.

I ran into a problem where the vendors were not releasing updates for bash on RHEL4 / CentOS 4 boxes, with good reason, as RHEL 4 has been EOL since March 2012.

Unfortunately the fact that an OS is EOL does not solve the problems that arise in cases like these.

Many people have valid reasons for running outdated and unsupported OSes.

In any event, I needed a fix for the problem.

Attached you will find my source RPM for RHEL4 / CentOS4 systems that you can use to compile a patched version of bash.

I’ve included the patches for both CVE-2014-6271 and CVE-2014-7169.

For more details please see: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Download Patched Source RPM: bash-3.0-27.3.src.rpm
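To confirm that a rebuilt bash actually closes both issues, a local check such as the following can be run against the installed binary. This is an added example, not part of the original post or the RPM; the function names and the marker string are chosen here for illustration.

```bash
#!/bin/bash
# Added example: local self-test for the two CVEs the patched RPM addresses.
# Both probes run only against the bash binary you name on this host.

# CVE-2014-6271: a vulnerable bash runs the command that trails a function
# definition imported from an environment variable.
check_cve_2014_6271() {
    local bash_bin="${1:-/bin/bash}" out
    out=$(env 'probe=() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo done' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# CVE-2014-7169: a bash with only the first patch still mis-parses the
# leftover ">\" and runs "date > echo", creating a file named "echo".
check_cve_2014_7169() {
    local bash_bin="${1:-/bin/bash}" tmp result=patched
    tmp=$(mktemp -d) || return 2
    # Run in a scratch directory so the stray file, if any, lands there.
    ( cd "$tmp" && env 'probe=() { (a)=>\' "$bash_bin" -c 'echo date' ) \
        >/dev/null 2>&1 || true
    [ -e "$tmp/echo" ] && result=vulnerable
    rm -rf "$tmp"
    echo "$result"
}

# Report on one binary; refuses to guess if the path is not executable.
report_bash() {
    local bash_to_check="${1:-/bin/bash}"
    [ -x "$bash_to_check" ] || { echo "not executable: $bash_to_check"; return 2; }
    echo "CVE-2014-6271: $(check_cve_2014_6271 "$bash_to_check")"
    echo "CVE-2014-7169: $(check_cve_2014_7169 "$bash_to_check")"
}

# Run the report only when a path is given, e.g. ./check-bash.sh /bin/bash
[ $# -eq 0 ] || report_bash "$1"
```

Run it once before and once after installing the rebuilt package; both lines should read "patched" afterwards.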

Courier-IMAP 4.x and later with Plesk 8.3

Tuesday, August 3rd, 2010

I have not confirmed this problem in any version other than Plesk 8.3.0, simply because I have not had the time. :(

According to the Parallels forums and documentation, you should be able to upgrade the version of Courier-IMAP running on the server to any later version.

I however attempted to upgrade to Courier-IMAP 4.7.0 and 4.8.0 using authlib 0.6.3 with no success.

Then I read the following entry in the Courier-IMAP Changelog:

2004-11-05 Mr. Sam

* pop3dserver.c (main): Authenticated address is in AUTHENTICATED,
not AUTHADDR, now.

It would appear that this one change breaks the authpsa authentication module, so that one cannot implement later versions of Courier-IMAP on Plesk 8.3.0, since authpsa expects the authentication information in the AUTHADDR shell variable.

webmailmng Strange error

Saturday, January 16th, 2010

After applying hotfix 1 for Plesk 9.2.3, we started experiencing strange problems with webmail, in our case atmail, but it may apply to horde as well, on the server.

A typical example of an error would be:

Unable to get options for atmail webmail

Looking at the files installed by the hotfix, you will notice that the hotfix installs a new copy of:

/usr/local/psa/admin/sbin/webmailmng

which is why the problem starts.

There is a BUG in the newer /usr/local/psa/admin/sbin/webmailmng

Instead of trying to access the config files in

/etc/psa/webmail/atmail/atmail.conf

the new version now looks for a config file in

/etc/psa-webmail/atmail/atmail.conf

My quick workaround is simply to make /etc/psa-webmail/atmail/ a symbolic link to /etc/psa/webmail/atmail/, which seems to temporarily solve the problem.

The permanent fix is apparently to upgrade to Plesk 9.3.0, which was available at the time of writing.

Auto reboot on kernel panic

Monday, January 11th, 2010

I ran into a machine that for some unexplained reason would hit a kernel bug and then get a kernel panic.

This usually left the machine in an unusable state, requiring a reboot.

After some googling, I found an answer.

Kudos to Vivek Gite from http://www.cyberciti.biz/ for his post

Below are the important bits:

Edit /etc/sysctl.conf file

# vi /etc/sysctl.conf

The setting below instructs the kernel to reboot 10 seconds after a kernel panic occurs:

kernel.panic = 10

It is of course possible to make the 10 seconds as long as you need.

Save the file and apply the setting.

# sysctl -p

vi Reference Card

Wednesday, December 2nd, 2009

This is a vi cheat sheet, showing most of the common vi functions. I found myself every now and again forgetting some of the common functions that I do not use every day. This document, which is copyrighted by its author, helped me out a few times.

Get the vi Reference Sheet.

Duplicate RPM entries

Monday, November 9th, 2009

I was seeing duplicate RPM entries for almost all the installed RPMs on my new x86_64 server running CentOS 5.3

After a bit of reading I found out that it is due to the i386 and x86_64 libraries being installed on my 64-bit machine.

A little more reading later and I found the solution, which is simply to specify a different query format for RPM

vi /etc/rpm/macros

%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}

Plesk 9.2.x & tomcat5

Saturday, September 12th, 2009

The startup scripts for tomcat5 on Plesk 9.2.x for Linux are broken on both 32-bit and 64-bit platforms, at the very least for CentOS 5.

The fix is trivial.

Set the JAVA_HOME variable in the /etc/tomcat5/tomcat5.conf file as well as the /etc/sysconfig/tomcat5 file.

Apply the following fix to the /usr/bin/dtomcat5 script.

Around line 67 of the file it should read:

if [ -z "$CATALINA_HOME" ]; then
    TOMCAT_CFG="/etc/tomcat5/tomcat5.conf"
fi

Change the above code, by adding one line, so it reads as follows:

if [ -z "$CATALINA_HOME" ]; then
    TOMCAT_CFG="/etc/tomcat5/tomcat5.conf"
    . "${TOMCAT_CFG}"
fi

Testing the change can be achieved by running the following command:

tomcat5 version

It should produce output similar to the information below:

Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:
Server version: Apache Tomcat/5.5.23
Server built: Jul 27 2009 05:24:08
Server number: 5.5.23.0
OS Name: Linux
OS Version: 2.6.18-128.7.1.el5
Architecture: amd64
JVM Version: 1.6.0-b09
JVM Vendor: Sun Microsystems Inc.

Strange FrontPageAlias() problem on Plesk ….

Wednesday, December 17th, 2008

The FrontPage hit counter for a site was not working. I kept on getting the following error in the log file of a domain that has FrontPage enabled:

Incorrect permissions on webroot “/var/www/vhosts/example.com/httpdocs/_vti_pvt” and webroot’s _vti_pvt directory in FrontPageAlias().

Changing to the website’s httpdocs directory and running the command below, fixed the problem.

chgrp psaserv _vti_pvt

Thank you goes to zymsys

Redirecting outgoing traffic ….

Monday, December 15th, 2008

It may become necessary to redirect some outgoing traffic to a different IP address from time to time ….

Recently the route to a mail server became unreachable from our mail server and we had to route traffic via an alternative relay server.

I achieved this using the trusty old iptables.

Here is the rule:

iptables -t nat -A OUTPUT -d <OriginalDestinationIPAddress> -p tcp --dport <OriginalDestinationPort> -j DNAT --to-destination <NewDestinationIPAddress>:<NewDestinationPort>

sqlite version 2.8.x and PHP 5.2.x

Thursday, August 21st, 2008

It seems straightforward if you read the PHP manual …. just do a pecl install sqlite …. but most things in life are not that simple. :( The above command gave me the following error:

../SQLite-1.0.3/sqlite.c:56: error:
‘BYREF_NONE’ undeclared here (not in a function)
../SQLite-1.0.3/sqlite.c:56: error:
‘BYREF_FORCE’ undeclared here (not in a function)
../SQLite-1.0.3/sqlite.c:125: warning:
initialization from incompatible pointer type
../SQLite-1.0.3/sqlite.c:126: warning:
initialization from incompatible pointer type
make: *** [sqlite.lo] Error 1
ERROR: `make’ failed

Thanks to a post I found on phpbuilder.com, I can post the solution below:

PHP 5 is compiled with “--without-sqlite”.

Start with installing php-pecl-sqlite

$ pear download sqlite
OR
$ wget -q http://pecl.php.net/get/SQLite-1.0.3.tgz

then unpacked and began to compile it

$ tar zxvf SQLite-1.0.3.tgz
$ cd SQLite-1.0.3
$ phpize
$ ./configure
$ make

make failed here with some offset error

edit sqlite.c, comment out the following line:
/* static unsigned char arg3_force_ref[] = {3, BYREF_NONE, BYREF_NONE, BYREF_FORCE }; */

And then change these lines

function_entry sqlite_functions[] = {
PHP_FE(sqlite_open, arg3_force_ref)
PHP_FE(sqlite_popen, arg3_force_ref)
to:
function_entry sqlite_functions[] = {
PHP_FE(sqlite_open, third_arg_force_ref)
PHP_FE(sqlite_popen, third_arg_force_ref)

$ make
$ make install
$ service httpd restart

Ubuntu 8.04 Hardy and the HP LaserJet 1020

Saturday, May 10th, 2008

I installed a copy of Ubuntu 8.04 tonight. It is a lovely piece of software to say the least. Almost everything worked out-of-the-box. Unfortunately it did not want to print to my HP LJ 1020. Luckily a search on Google quickly revealed a solution:

On Hardy Heron it is no longer necessary to install the drivers from http://foo2zjs.rkkda.com/ since it installs the correct drivers and HP programs. It is only necessary to download the printer’s firmware, since Ubuntu can’t deliver it because of license and/or patent restrictions. At a terminal and as root (or using sudo), just type:

# hp-setup (as root)

OR

$ sudo hp-setup (as sudoer)

and follow the wizard. It’s straightforward. :)

A big thank you goes to Danpros for the info in this post.

Law of Logical Argument

Thursday, May 8th, 2008

I was reading an article on some site and read the following phrase. I thought it is so appropriate that I had to include it in my blog.

Law of Logical Argument:
Anything is possible if you don’t know what you are talking about.

PHP 5.2.5 and Plesk 8.1.x and Plesk 8.2.x …

Monday, December 10th, 2007

Oops, the latest version of PHP breaks a few things on Plesk 8.1.x and Plesk 8.2.x installations. It probably affects other installations as well, but I stopped testing since I was only interested in Plesk 8.2.x and later.

According to atomicrocketturtle the problem will be fixed in Plesk 8.3. We will just have to wait and see.

On rackerhacker’s blog I found a very elegant solution to the problem that was provided by Kevin M.

I repeat the entry from rackerhacker’s blog:

There’s a few issues with PHP 5.2.5 and the version of Horde that is bundled with Plesk 8.1.x and 8.2.x. The PHP include paths that appear in the Apache configuration generated by Plesk conflict with the PHP installation, and that causes the Horde webmail interface to segmentation fault.

To fix the problem, create a file called /etc/httpd/conf.d/zz050a_horde_php_workaround.conf and put the following inside it:

<DirectoryMatch /usr/share/psa-horde>
php_admin_value include_path "/usr/share/psa-horde/lib:/usr/share/psa-horde:/usr/share/psa-horde/pear:."
</DirectoryMatch>

Reload the Apache configuration and your Horde installation should work properly with PHP 5.2.5.

Freeing some file descriptors in Plesk 8.2.0 and later …

Monday, December 10th, 2007

Finally, SWSoft has come to the party and added piped logging into the Plesk configuration. This is simply fantastic since it has enabled me to run many more websites on a shared hosting server. Yay!!

To enable piped Apache logs, do the following:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "replace into misc (param,val) values ('apache_pipelog', 'true');"
# /usr/local/psa/admin/sbin/websrvmng -v -a

A big “thank you” goes to Racker Hacker for this piece of information.

WAP access

Saturday, December 1st, 2007

You are welcome to access this blog via your WAP browser on your cellphone.

The WAP URL is: http://www.swart.org.za/wordpress/wap.php (This link will not work in a normal non-WAP enabled browser.)

Urrgghh …. FrontPage!

Saturday, December 1st, 2007

10 December 2007: I have not been able to get this solution to work at all, even though mod_frontpage is compiled against Apache 2.2.

20 December 2007: I have found enough time to spend hours on debugging the problem and I have successfully been able to get mod_frontpage working on my CentOS 5 server running Plesk 8.2.1 and Apache 2.2. I have updated the article below where needed.

As most of you are aware, Microsoft FrontPage (FP) has long ago reached its end-of-life. Microsoft no longer distributes FrontPage or FrontPage Server Extensions (FPSE). Now, this may be all well enough and most of us understand why. The problem unfortunately lies with the user base. Many people still use and rely on the old outdated versions of Microsoft FrontPage.

SWSoft stopped shipping FPSE as of Plesk version 8.1.0. The last version of FPSE that I could locate was in version 8.0.1 of Plesk.

Version 8.0.1 was also never released for CentOS5 or Red Hat Enterprise Linux 5 (RHEL5), which means that there are effectively no RPMs for FPSE that were compiled against Apache 2.2.x.

This effectively meant that you had to search for an OLD copy of fp50.lin.tar.gz and compile it yourself. Not the most ideal solution.

Enter, crash. crash provided the solution to the problem on SWSoft’s forum. I will be repeating most of crash’s post below.

You will need one of the older SWSoft FPSE RPM’s. I used frontpage-5.0-72psa.centos4.2 and frontpage-5.0-72psa.rhel4. The RPMs are located in the Plesk 8.0.1 .tar.gz file, in the ./opt/fp directory.

You will need to install one of the above RPM’s onto your system.

Once installed, do the following:

cd ~
mkdir frontpage-5.0
cd frontpage-5.0
cp -afr /usr/local/frontpage .
cd ..
tar -cvf frontpage-5.0.tgz ./frontpage-5.0/

You should now have a frontpage-5.0.tgz file, that will be used.

crash provided the following patches to have mod_frontpage compile against Apache 2.2.x. (The patches should allow you to compile mod_frontpage against Apache 2.0.x or Apache 2.2.x [There are a few tiny differences])

Download the patches: FrontPage Server Extension Patches for CentOS5 and Apache 2.2.x (The file was updated on 20 December 2007)

You need to have the httpd-devel RPM installed. yum install httpd-devel, will usually be sufficient.

Now do the following:

cd /usr/src/redhat
tar zxvf mod_frontpage-patches.tgz
cd SPECS
rpmbuild -bb frontpage.spec

If all goes well, the RPM build process should complete without any errors and you will have a brand new RPM to install FPSE with on CentOS5/RHEL5.

Credit to crash’s post. I discovered a few bugs in the patches originally provided by crash.

A few tips:

  1. If you installed the SWSoft RPM, you need to remove the mod_frontpage entry from the LoadModule section in the /etc/httpd/conf/httpd.conf file. If you do not, Apache will complain that mod_frontpage is already loaded when you restart Apache.
  2. I have commented out the last 3 lines from /etc/httpd/conf.d/mod_frontpage.conf. Plesk already caters for this in the httpd.include file in each vhost.
  3. FrontPage Administration Pages only work in Internet Explorer, or at least for me.
  4. The FrontPage Server Extensions are EXTREMELY sensitive to file permissions.

The daemons that bugged me.

Saturday, December 1st, 2007

With every major enterprise Linux release, Red Hat adds a number of new daemons to the startup of the server. Most of these daemons have a very clear function. I have however pondered what all the daemons are for. Although nice to have, many of the daemons simply eat away at your resources and, if not needed, should really be disabled.

Red Hat was kind enough to release the following information in the Red Hat Magazine article, with the heading: “Understanding your (Red Hat Enterprise Linux) daemons”.

Of course the above information is very handy for CentOS, which is based on Red Hat Enterprise Linux.

Upgrade ….

Saturday, December 1st, 2007

After a very long time I had to revert back to my blog and saw it needed a bit of TLC so I upgraded it to the latest available version of WordPress.

The old theme is broken in the new version so I reverted to the “WordPress Default”, for the time being.

Re-writing the source with iptables.

Friday, March 2nd, 2007

Recently I ran into a problem where my primary IP address on the server was blacklisted. This had the negative effect that other servers that use the blacklist blocked the mail being sent to them from our server.

In a shared hosting environment, one user can easily get a server blacklisted.

All our servers have at least 2 publicly accessible IP addresses. I thought that it would be great if I could get the mail to appear to be from one of the secondary IP addresses.

Below is an iptables rule that achieves just this:

iptables -t nat -A POSTROUTING -o eth0 \
-s <primaryIPAddress>/32 -p tcp --dport 25 \
-j SNAT --to-source <secondaryIPAddress>

Plesk 8.x – Disabling the newsfeeds.

Saturday, February 24th, 2007

Yes, SWsoft decided that our users should be bombarded with news feeds. This may be a feature that certain users like or desire, but as the system administrator you are not given a choice.

I believe choice is important, especially in a product that costs many dollars.

Here is some Perl code to disable the newsfeeds:

For clients:

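# $client is interpolated straight into the SQL, so it must be a trusted login name.
$query = "SELECT id FROM clients WHERE login='$client'";
# $queryDBpsa is expected to be a code reference that runs a query against the psa database.
@cID = $queryDBpsa->($query);
# Mark the news as dismissed for this client.
$query = "REPLACE INTO cl_param (param, val , cl_id) VALUES ('news_dismissed', '1', '$cID[0]');";
$queryDBpsa->($query);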

For domains:

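# $domain is interpolated straight into the SQL, so it must be a trusted domain name.
$query = "SELECT id FROM domains WHERE name='$domain'";
@dID = $queryDBpsa->($query);
# Mark the news as dismissed for this domain.
$query = "REPLACE INTO dom_param (param, val , dom_id) VALUES ('news_dismissed', '1', '$dID[0]');";
$queryDBpsa->($query);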